[Ach] Signing

Adi Kriegisch adi at kriegisch.at
Mon Dec 2 12:34:48 CET 2013


Hi!

> So, in short, we have another whitepaper to write ;)
:-)
 
> For info, don't know what your problem with device signing is, but for security reasons the recognized CA for drivers is now embedded somewhere in the Windows kernel.  You cannot change it and it's different from the computer / user CA store. :-S
> 
> If you don't have a certificate signed by an authority that can sign certificates for use on drivers, you need to boot Windows in a development mode where it will basically accept anything :D.
Fortunately it isn't that bad: You may very well install your own
certificate authority into "Trusted Publishers" (machine wide, of course).
Then you only get prompted whether you trust that certificate (and you may
accept software signed by that publisher forever). The dialog looks ok and
not like the whole world is on fire... ;-)
For the signing certificate itself one needs to add
"extendedKeyUsage = 1.3.6.1.4.1.311.2.1.12" to the openssl.cnf...

-- Adi 
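
Added example, not part of the original message: a shell sketch that issues a signing certificate from a throwaway CA with the extendedKeyUsage value quoted above, then checks that the extension is actually present. The subject names, file names and the `signing_ext` section name are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway CA plus a signing certificate carrying the
# extendedKeyUsage OID quoted in the message. All names are constructed.

EKU_OID="1.3.6.1.4.1.311.2.1.12"   # value taken from the message

make_signing_cert() {
    # $1 = empty work directory (hypothetical layout: ca.* and signer.*)
    dir="$1"

    # Extension section, as it would be added to openssl.cnf.
    cat > "$dir/ext.cnf" <<EOF
[ signing_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $EKU_OID
EOF

    # Self-signed test CA (constructed subject name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # Key and CSR for the signing certificate.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Example Driver Signer" \
        -keyout "$dir/signer.key" -out "$dir/signer.csr" 2>/dev/null || return 1

    # Issue the certificate, applying the extension section above.
    openssl x509 -req -in "$dir/signer.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions signing_ext \
        -out "$dir/signer.crt" 2>/dev/null || return 1
}

cert_has_eku() {
    # $1 = certificate file, $2 = OID.
    # Succeeds only if the OID is listed under Extended Key Usage.
    openssl x509 -in "$1" -noout -text |
        grep -A1 "X509v3 Extended Key Usage" | grep -qF "$2"
}
```

Call `make_signing_cert` with an empty directory, then `cert_has_eku "$dir/signer.crt" "$EKU_OID"` before importing the CA on a test machine, so a certificate issued without the extension is caught early.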